Full Disclosure mailing list archives
RE: IE is just as safe as FireFox
From: "Todd Towles" <toddtowles () brookshires com>
Date: Tue, 16 Nov 2004 08:19:06 -0600
I agree with you, maybe good coding was the wrong word. But you got the idea. IE isn't part of the OS in Microsoft's mind...but it is in the customers'. You get a new computer and you hear on the TV, not to use IE...because it has holes. A good customer does the right thing and gets another browser and uses that. Not knowing that Outlook and IE problems can hurt them anyways. Microsoft doesn't show separate to the customer - why? Because they believe people want stuff all connected together, which is true. Most of the customers don't see what is happening and it takes professionals like us to get the ball rolling...to protect them and us. Microsoft made a bold step by changing security in SP2. It was going to break stuff...and it was stupid to see people yell about that. They told us it would, we knew it would. I am glad to see they are starting to take steps toward better systems, but Microsoft has room for improvement to say the least.
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of joe
Sent: Monday, November 15, 2004 1:26 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] IE is just as safe as FireFox

Everytime a Firefox exploit comes out..there is already a fix... is that magic? No..it is good coding...

What? Having a quick fix out is due to low complexity of issue and assisted by a lack of dependencies so you have reduced time for patching and testing. It has nothing to do with code quality. I have seen some extremely good code that hit an issue that took long periods of time to correct due to the complexity of the issue with all of the requirements that had to be stacked up to cause an issue. I have also seen crappy code that could be pretty quickly patched up for various things and often contributed to how crappy it was.

Again, code quality and time to patch have nothing to do with each other except if you had great code you wouldn't even have to worry about exploits and patching. Great code, IMO, requires 100% assertions of all incoming data and NO ONE does that. Programmers assume that incoming data will fit in a specific range and go with it. At some point we as developers (some earlier than others) learned that we should at least be checking for data length though that still isn't the full assertion that should be done on the quality and state of the data. One reason for not doing a full assertion is for future flexibility, don't check the data too close so you don't have to recompile for a new use. Mostly it is done because coders just don't think someone will do something so off the wall or are too lazy or too pressed for time to care.

Saying that, I agree, as I have stated many times on this list, that IE needs to be backed down.
If there has to be some piece of it that absolutely has to be in the OS it should be a very basic very small very simple hello world basic HTML only rendering capability - you get fonts and anchors and not much more - it isn't even possible to execute anything even if the user agrees with a signature in blood. The code being tiny and truly a part of the OS in that it isn't possible to upgrade it to IE version x. It is updated with OS updates. Code so small and tight and well controlled and understood and practically memorized by the developers that MS could put a monetary guarantee behind the ability to exploit it. Say HTTP-EQUIV gets $10 million if he finds a way to crack it and run remote exploit code with a realistic POC. If someone wants a full function IE, they load that separately and it runs in a sandbox as guest.

Personally I never agreed that IE was truly part of the OS. There are some artificial dependencies built in for some of the display stuff like help, etc but NTFS and threading and all of that works just fine without IE. If pulling IE out of the Explorer shell is too difficult, then I for one would be fully behind a new secure type shell replacement for the Explorer Shell. We had ProgMan Shell for several years then we got the Explorer Shell. Maybe it is time to get a new shell, at least for servers.

I was recently in Redmond and the message I kept feeding back over and over again was that we needed a way to not have to load IE onto machines. I am looking to moving forward ideas. If they give me the ability, I am not going to whine why I can't do the same on Win9x or 2K or even XP. So many people bitch on this list about MS supporting legacy stuff and then they or someone else starts bitching that MS isn't back porting the changes. Pick one or the other but keep in mind if things have to keep getting back ported, resources for that aren't moving us forward. I myself, would rather move forward.
joe

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Todd Towles
Sent: Friday, November 12, 2004 10:10 AM
To: Rafel Ivgi, The-Insider; full-disclosure () lists netsys com; Colin.Scott () csplc com
Subject: RE: [Full-disclosure] IE is just as safe as FireFox

<SNIP>
Everytime a Firefox exploit comes out..there is already a fix...is that magic? No..it is good coding...
<SNIP>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html